path: root/include/net/act_api.h
author: Florian Westphal <fw@strlen.de> 2022-08-26 15:32:25 +0200
committer: Florian Westphal <fw@strlen.de> 2022-09-07 15:43:51 +0200
commit: 6e250dcbff1d3ce347b8294e4ec6da96a2cecdb5 (patch)
tree: 006228ebc0e805fc52037d21d5c8f1cd1e6e4f16 /include/net/act_api.h
parent: netfilter: conntrack: prepare tcp_in_window for ternary return value (diff)
netfilter: conntrack: ignore overly delayed tcp packets
If 'nf_conntrack_tcp_loose' is off (the default), tcp packets that are outside of the current window are marked as INVALID. nf/iptables rulesets often drop such packets via 'ct state invalid' or similar checks.

For overly delayed acks, this can be a nuisance if such 'invalid' packets are also logged. Since they are not invalid in a strict sense, just ignore them, i.e. conntrack won't extend timeout or change state so that they do not match invalid state rules anymore.

This also avoids unwanted connection stalls in case conntrack considers retransmission (of data that did not reach the peer) as too old.

The else branch of the conditional becomes obsolete. Next patch will reformat the now always-true if condition.

The existing workaround for data that exceeds the calculated receive window is adjusted to use the 'ignore' state so that these packets do not refresh the timeout or change state other than updating ->td_end.

Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/net/act_api.h')
0 files changed, 0 insertions, 0 deletions